How to create aes-256 encrypted zip files in your browser
- Step 1Open the tool (Pro plan required) — Go to /archive-tools/encrypted-zip-creator. The Encrypted ZIP Creator has
minTier: pro, so free accounts see a plan overlay instead of the dropzone. Sign in on Pro, Pro+Media, or Developer to use it. - Step 2Drop the files you want to encrypt — The dropzone reads 'Drop files to process' and accepts any file type (not just archives). Drag in one file or a whole selection — it is multi-file. Each file's relative path (
webkitRelativePathwhen present, otherwise its name) becomes its entry name, so nested structure is kept. - Step 3Type a strong password — The only option control is a single password field (placeholder: 'At least 12 characters recommended'). The processor rejects anything under 8 characters with 'Choose a password of at least 8 characters (12+ recommended).' Below it the panel warns: 'AES-256 strength is fixed at maximum. Use a password manager — there is no recovery.'
- Step 4Click Generate — The action button on this generative tool reads Generate (not Process). zip.js opens a ZipWriter with
{ password, encryptionStrength: 3 }and adds each file as an AES-256-encrypted entry, then closes the archive into a Blob. - Step 5Read the result metrics — The result panel shows
Files(entry count),Encryption: AES-256, and aSavedpercentage (original bytes vs encrypted-ZIP bytes), plus Original / Output sizes. Encrypted, already-compressed inputs (JPEG, MP4) often show ~0% saved — that is expected, AES output is incompressible. - Step 6Download and store the password — Click Download to save
encrypted.ziplocally. Save the password in a manager (1Password, Bitwarden, KeePassXC) before you send the file — AES-256 with a strong password has no recovery path, and JAD never sees or stores it.
What the Encrypted ZIP Creator actually does
Grounded in lib/archive/archive-processor.ts (createEncryptedZip), archive-tool-client.tsx (OptionsPanel), and the registry/schema. Only the password control is rendered for this tool.
| Aspect | Real behaviour | Source of truth |
|---|---|---|
| Engine | @zip.js/zip.js ZipWriter — NOT fflate or libarchive. fflate cannot write AES, so this path is zip.js-only | createEncryptedZip calls loadZipJs() then new zipjs.ZipWriter(writer, { password, encryptionStrength: 3 }) |
| Cipher | WinZip AES-256 (AE-2), strength 3, hardcoded — there is no AES-128/192 toggle and no ZipCrypto | encryptionStrength: 3 literal in the processor; UI note 'AES-256 strength is fixed at maximum' |
| Options shown | One field: password (type=password). The compressionLevel value exists in the schema but is not rendered and not used by this handler | OptionsPanel case "encrypted-zip-creator" renders only the password input; createEncryptedZip never reads compressionLevel |
| Input | Generative + multi-file: drop one or more files of any type; accept is *. Not a folder picker (only folder-to-zip / selective-zipper expose that) | GENERATIVE_SLUGS + MULTI_FILE_SLUGS include this slug; accept="*"; FOLDER_PICKER_SLUGS does not |
| Output | A single encrypted.zip, mimeType application/zip, one AES-256 entry per input file, structure preserved from relative paths | filename: "encrypted.zip", zipWriter.add(f.webkitRelativePath || f.name, reader) |
| Password floor | Minimum 8 characters or the run throws; UI placeholder recommends 12+ | if (password.length < 8) throw new Error(...) |
Tier limits for the archive family
From lib/tier-limits.ts (archive family). fileBytes is per file; entryLimit is per archive; batchFiles is how many files you can drop. This is a Pro-tier tool, so the free row only matters for the upgrade overlay.
| Tier | Max size per file | Entries per archive | Files per job | Can use this tool? |
|---|---|---|---|---|
| Free | 50 MB | 500 | 1 | No — plan overlay (minTier is pro) |
| Pro | 500 MB | 50,000 | 20 | Yes |
| Pro+Media | 2 GB | 500,000 | 100 | Yes |
| Developer | 2 GB | 500,000 | Unlimited | Yes |
AES-256 ZIP vs the alternatives
Why this tool exists and when a sibling is the better fit. The other JAD zip-builders use fflate and produce UNENCRYPTED archives.
| Method | Confidentiality | Made by |
|---|---|---|
| JAD Encrypted ZIP Creator (this tool) | Strong — per-entry AES-256 (AE-2) | zip.js ZipWriter, strength 3 |
| Plain ZIP via folder-to-zip / selective-zipper / streaming-zip-builder | None — no password is ever applied | fflate zipSync (no AES support) |
| Legacy ZipCrypto (WinZip/Windows password) | Broken — known-plaintext key recovery in seconds | Not generated by JAD at all |
| Filenames inside the archive | Visible even when encrypted — AES-2 encrypts entry *contents*, not the central-directory names | ZIP format limitation, not a JAD choice |
Cookbook
Concrete runs against the real tool. Output is always a single encrypted.zip; sizes shown are illustrative.
Encrypt a single document
The simplest case: one file in, one encrypted ZIP out. The single entry keeps its original name.
Drop: Q2-board-deck.pdf (4.2 MB) Password: correct-horse-battery-staple Click: Generate Result metrics: Files: 1 Encryption: AES-256 Saved: 6.3% Original: 4.2 MB Output: 3.9 MB Download: encrypted.zip └─ Q2-board-deck.pdf (AES-256 entry) Recipient: 7-Zip / Keka / WinZip → enter password → opens.
Encrypt many files at once
The tool is multi-file. Drop a whole selection; every file becomes its own AES-256 entry under one password. Pro caps the job at 20 files.
Drop (Pro tier, 12 files): contract-a.docx, contract-b.docx, ... invoice-12.pdf Password: 9!fJ2qmZ-vault-2026 Click: Generate Result metrics: Files: 12 Encryption: AES-256 Saved: 41.0% Download: encrypted.zip (12 encrypted entries)
Preserve folder structure
When the picked files carry a relative path (webkitRelativePath), the entry name keeps that path — so an extracted archive rebuilds the original tree.
Picked files carry paths: src/index.ts src/lib/util.ts README.md Entry names written into encrypted.zip: src/index.ts src/lib/util.ts README.md → unzip -P <pw> encrypted.zip rebuilds src/ + README.md
Password too short — rejected before any work
The processor enforces an 8-character floor. Anything shorter throws immediately; nothing is written.
Drop: secrets.env Password: pass123 (7 chars) Click: Generate Error: Choose a password of at least 8 characters (12+ recommended). Fix: use a 12+ character passphrase from a password manager.
Already-encrypted input → near-zero compression
AES output is statistically random, so it does not compress. If your inputs are already compressed (JPEG, MP4, a ZIP) the Saved figure will hover near 0% — this is correct, not a bug.
Drop: holiday.mp4 (180 MB), photo.jpg (4 MB) Password: travel-2026-strong-pass Click: Generate Result metrics: Files: 2 Encryption: AES-256 Saved: 0.2% Original: 184 MB Output: 184 MB Expected: media is entropy-dense; encryption adds no shrink.
Edge cases and what actually happens
Free account opens the tool
Blocked (upgrade)The Encrypted ZIP Creator has minTier: pro. A free or signed-out user does not see the dropzone — the client renders a ProOverlay reading 'AES-256 Encrypted ZIP Creator requires the Pro plan.' Upgrade to Pro, Pro+Media, or Developer to access it. Free-tier marketing copy that calls this tool 'free' is wrong.
Password under 8 characters
RejectedcreateEncryptedZip throws 'Choose a password of at least 8 characters (12+ recommended).' before reading any file bytes. The UI placeholder recommends 12+; treat 8 as the hard floor, not the target.
No files dropped
RejectedWith an empty file list the processor throws 'Drop one or more files to encrypt.' The Generate button runs the same path, so a click with nothing staged surfaces this message immediately.
Lost password
UnrecoverableAES-256 with a strong password is computationally infeasible to brute-force, and JAD never stores it (the file is built in your tab). There is no reset, no backdoor, no recovery. Store the password in a manager before sharing — the UI says so explicitly.
Filenames are still visible inside the encrypted ZIP
By designWinZip AE-2 encrypts each entry's *contents*, not the central-directory metadata. Anyone with the file can list the entry names (unzip -l, 7-Zip) without the password — only the data needs the password to extract. If the names themselves are sensitive, encrypt under a generic name (e.g. zip everything into one inner archive first, then encrypt that single file).
Expecting a compression-level slider
Not presentOther JAD compressors expose a 0-9 level, but the Encrypted ZIP Creator's options panel renders only the password field. The compressionLevel value in the option schema is neither shown nor used by createEncryptedZip — deflate runs at the zip.js default. Use smart-archive-compressor if level control matters, then there is no encryption on that path.
Output is always named encrypted.zip
ExpectedThe handler hardcodes filename: "encrypted.zip". The download always lands as encrypted.zip regardless of input names — rename it yourself after download if you need a specific filename.
Very large job exhausts browser memory
Memory boundzip.js builds the result as a Blob in memory. Pro+Media/Developer allow up to 2 GB per file, but encrypting a multi-GB selection in a single tab can hit the browser's allocation ceiling. On paid tiers the job can auto-route to the local @jadapps/runner (headless Chromium) which has more headroom; otherwise split the work or build a plain large ZIP with streaming-zip-builder first.
Recipient's unzipper rejects the password
Check the toolVery old or minimal unzippers do not implement the AES extra field (0x9901) and report a 'wrong password' or 'unsupported method' error even with the correct password. 7-Zip, Keka, WinZip, and modern unzip builds all support it. To confirm the archive itself is fine, run archive-password-tester with the password — it verifies the AES entries decrypt.
Frequently asked questions
Is this real AES-256 or the old broken ZIP password?
Real AES-256. The processor opens the zip.js ZipWriter with encryptionStrength: 3, which is WinZip's AE-2 specification (AES-256, written as extra field 0x9901). JAD does not generate legacy ZipCrypto at all — that cipher is broken by a known-plaintext attack that recovers the key in seconds.
Are my files uploaded?
No. The archive is built entirely in your browser by @zip.js/zip.js. The result panel shows a 0 bytes uploaded badge, and you can confirm it in DevTools → Network — the only requests are for the page assets, never your file data or password.
Is this free?
No. The Encrypted ZIP Creator is a Pro-tier tool (minTier: pro). Free or signed-out users get a plan overlay instead of the dropzone. AES encryption per entry is heavier than the free fflate compressors, which is why it sits behind Pro.
Can I choose AES-128 or AES-192 instead?
No. Strength is hardcoded to 3 (AES-256) and the UI states 'AES-256 strength is fixed at maximum.' There is intentionally no weaker setting — you cannot accidentally downgrade or ship an unencrypted archive from this tool.
What is the minimum password length?
Eight characters — the processor throws 'Choose a password of at least 8 characters (12+ recommended).' for anything shorter. The input placeholder recommends at least 12; use a long passphrase from a password manager.
Can I encrypt a whole folder?
You can encrypt many files that came from a folder — when the picked files carry a relative path it is preserved as the entry name, so the tree rebuilds on extraction. This tool is not a dedicated folder picker, though; for one-click 'pick a folder' use folder-to-zip, but note that tool produces an UNENCRYPTED ZIP.
Why is the 'Saved' percentage near zero?
Encrypted bytes are statistically random and do not compress, and already-compressed inputs (JPEG, MP4, MP3, existing ZIPs) have little headroom regardless. A low or 0% Saved figure on media or pre-compressed input is expected. Text and source code still show meaningful savings.
Will the recipient need JAD or any special software?
No. The output is a standard ZIP with WinZip AES-256 entries. 7-Zip, Keka, WinZip, and modern unzip builds open it with just the password. There is no JAD-specific wrapper or metadata.
Can I forget the password and recover the file?
No. AES-256 with a strong password is infeasible to brute-force and JAD stores nothing. Save the password in a manager (1Password, Bitwarden, KeePassXC) before sharing — there is no recovery path.
Are the filenames inside hidden too?
No — AE-2 encrypts entry contents, not the central-directory names. Someone with the file can list entry names without the password (unzip -l). If names are sensitive, wrap everything in one inner archive under a generic name first, then encrypt that single file here.
How many files and how large can I encrypt?
By tier: Pro is 500 MB per file / 50,000 entries / 20 files per job; Pro+Media is 2 GB / 500,000 / 100; Developer is 2 GB / 500,000 / unlimited files. Encrypting close to the size ceiling in a single tab can hit browser memory — paid tiers can offload to the local runner.
How do I verify the archive opens before I send it?
Run archive-password-tester with the same password — it opens the archive with zip.js and confirms the AES entries decrypt. To detect whether any ZIP is encrypted at all, use encrypted-archive-detector.
Can I get a SHA-256 of the encrypted ZIP for integrity?
Yes — feed the downloaded encrypted.zip to checksum-generator to emit a SHA-256 (or SHA-1 / MD5) digest you can publish alongside the file so the recipient can confirm it arrived intact.
Privacy first
Every JAD Archive tool runs entirely in your browser using fflate, @zip.js/zip.js, and the libarchive WASM bridge. Your archives never leave your device — verified by zero outbound network requests during processing.